AWS: How to properly authenticate a user against Cognito Pool and use it for Cognito Federated Identity?
I am developing an application that uses two authentication providers:
For the former I have no problems; everything works as expected. However, when setting up authentication with a Cognito User Pool I have hit another wall. I am using AWS SDK 2.4.9, Xcode 8 and Swift 3.
I know many questions have already been asked and there are plenty of "guides". However, many of them target outdated documentation and SDKs. Even the official AWS documentation is out of date.
The authentication steps I go through are as follows:
1. Configure the initial Cognito pool

    /// Set the default service configuration (no credentials provider yet; the pool only needs the region)
    let serviceConfiguration = AWSServiceConfiguration(region: AWSRegionType.usEast1, credentialsProvider: nil)
    AWSServiceManager.default().defaultServiceConfiguration = serviceConfiguration

    /// Create a pool configuration and register it for a specific key to use later
    /// (appClientID, appClientSecret, poolID and poolKey are values from the app's own configuration)
    let poolConfiguration = AWSCognitoIdentityUserPoolConfiguration(clientId: appClientID, clientSecret: appClientSecret, poolId: poolID)
    AWSCognitoIdentityUserPool.registerCognitoIdentityUserPool(with: poolConfiguration, forKey: poolKey)

    /// Create a pool for a specific predefined key
    pool = AWSCognitoIdentityUserPool(forKey: poolKey)
2. Authenticate the user against the Cognito User Pool

    /// `user` is the AWSCognitoIdentityUser for the given username (e.g. obtained from `pool.getUser(username)`);
    /// `completionHandler` is the caller's (Error?) -> Void callback.
    user.getSession(username, password: password, validationData: nil).continue({ (task) -> AnyObject? in
        if let error = task.error as? NSError {
            completionHandler(error)
            return nil
        }

        /// The ID token (not the access token) is what the identity pool expects in its logins map
        let session = task.result! as AWSCognitoIdentityUserSession
        let token = session.idToken!.tokenString

        /// Key format for a user pool provider: cognito-idp.<region>.amazonaws.com/<userPoolId>
        let tokens : [NSString:NSString] = ["cognito-idp.us-east-1.amazonaws.com/\(self.poolID!)" as NSString : token as NSString]
        let identityProvider = CognitoPoolIdentityProvider(tokens: tokens)
        let credentialsProvider = AWSCognitoCredentialsProvider(regionType: .usEast1, identityPoolId: self.identityPoolID, identityProviderManager: identityProvider)

        /// Set the default service configuration, this time with the credentials provider backed by the user pool login
        let serviceConfiguration = AWSServiceConfiguration(region: AWSRegionType.usEast1, credentialsProvider: credentialsProvider)
        AWSServiceManager.default().defaultServiceConfiguration = serviceConfiguration

        /// Resolve the federated identity for these logins
        credentialsProvider.getIdentityId().continue({ (task) -> AnyObject? in
            completionHandler(task.error as NSError?)
            return nil
        })
        return nil
    })
3. The CognitoPoolIdentityProvider class

    /// Supplies the provider-name -> token map that AWSCognitoCredentialsProvider sends as "Logins"
    class CognitoPoolIdentityProvider : NSObject, AWSIdentityProviderManager {
        var tokens : NSDictionary = [:]

        init(tokens: [NSString : NSString]) {
            self.tokens = tokens as NSDictionary
        }

        @objc func logins() -> AWSTask<NSDictionary> {
            return AWSTask(result: tokens)
        }
    }
4. Store data into Cognito Federated Identities

All of this goes through without any errors. However, I now want to store the data I pulled from the Cognito pool into a specific Cognito Federated Identities dataset, so I call: userProfile.synchronize().continue
and get the following:

    getCredentialsWithCognito:authenticated:customRoleArn:]_block_invoke | GetCredentialsForIdentity failed. Error is [Error Domain=com.amazonaws.AWSCognitoIdentityErrorDomain Code=8 "(null)" UserInfo={__type=NotAuthorizedException, message=Access to Identity 'us-east-1:xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx' is forbidden.}]
    2016-11-10 10:27:16.947365 xxxxxxxx[19867:5614838] AWSiOSSDK v2.4.11 [Error] AWSIdentityProvider.m line:304 | __52-[AWSCognitoCredentialsProviderHelper getIdentityId]_block_invoke.255 | GetId failed. Error is [Error Domain=com.amazonaws.AWSCognitoIdentityErrorDomain Code=8 "(null)" UserInfo={__type=NotAuthorizedException, message=Unauthenticated access is not supported for this identity pool.}]
    2016-11-10 10:27:16.947726 xxxxxxxx[19867:5614838] AWSiOSSDK v2.4.11 [Error] AWSCredentialsProvider.m line:577 | __44-[AWSCognitoCredentialsProvider credentials]_block_invoke.352 | Unable to refresh. Error is [Error Domain=com.amazonaws.AWSCognitoIdentityErrorDomain Code=8 "(null)" UserInfo={__type=NotAuthorizedException, message=Unauthenticated access is not supported for this identity pool.}]
    2016-11-10 10:27:16.948452 xxxxxxxx[19867:5614838] AWSiOSSDK v2.4.11 [Error] AWSCognitoDataset.m line:352 | __30-[AWSCognitoDataset syncPull:]_block_invoke | Unable to list records: Error Domain=com.amazonaws.AWSCognitoIdentityErrorDomain Code=8 "(null)" UserInfo={__type=NotAuthorizedException, message=Unauthenticated access is not supported for this identity pool.}
    [10:27:16]: saveSettings AWS task error: The operation couldn't be completed. (com.amazonaws.AWSCognitoIdentityErrorDomain error 8.)
After changing the log level, the following can be seen:

    // Request
    2016-11-10 10:33:08.095735 xxxxxxxx[19874:5616142] AWSiOSSDK v2.4.11 [Debug] AWSURLSessionManager.m line:543 | -[AWSURLSessionManager printHTTPHeadersAndBodyForRequest:] | Request body: {"IdentityId":"us-east-1:xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxx"}

    // Response
    2016-11-10 10:33:08.714268 xxxxxxxx[19874:5616154] AWSiOSSDK v2.4.11 [Debug] AWSURLSessionManager.m line:553 | -[AWSURLSessionManager printHTTPHeadersForResponse:] | Response headers: { Connection = "keep-alive"; "Content-Length" = 129; "Content-Type" = "application/x-amz-json-1.1"; Date = "Thu, 10 Nov 2016 09:33:08 GMT"; "x-amzn-ErrorMessage" = "Access to Identity 'us-east-1:xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxx' is forbidden."; "x-amzn-ErrorType" = "NotAuthorizedException:"; "x-amzn-RequestId" = "b0ac6fb0-a728-11e6-8413-1fdb846185bb"; }

The request above is a GetId API call. Clearly it does not match the request format from the AWS docs: http://docs.aws.amazon.com/cognitoidentity/latest/APIReference/API_GetId.html
According to the AWSServiceManager class, we have the following:

    /**
     The default service configuration object. This property can be set only once, and any subsequent setters are ignored.
     */
    @property (nonatomic, copy) AWSServiceConfiguration *defaultServiceConfiguration;

This means that setting a new service configuration is pointless, but I cannot see any other way to refresh the credentials obtained through the Cognito User Pool authentication.
That's it. Any ideas?
Thanks
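The `tokens` dictionary in step 2 is the part of this flow that most often goes wrong, so here is the check behind it, written as an added example in Python. It is not code from the question or from the AWS SDK: it reads the claims of the ID token returned by the user pool, confirms that the token is an unexpired ID token (not the access token) issued by the configured pool to the configured app client, and only then builds the one-entry Logins map whose key is the token issuer without the `https://` scheme, i.e. `cognito-idp.<region>.amazonaws.com/<userPoolId>`. The region, pool id, client id and the token itself are constructed placeholders; the helper that builds an `alg=none` token exists only to produce test input offline, and the example does not verify the token signature (Cognito Identity does that against the pool's JWKS when it receives the Logins map).

```python
import base64
import json
import time

# Constructed placeholder values for this example; they are not real AWS identifiers.
REGION = "us-east-1"
USER_POOL_ID = "us-east-1_EXAMPLEpool"
APP_CLIENT_ID = "example1234567890appclientid"


def logins_key(region, user_pool_id):
    """Key the Cognito Identity 'Logins' map expects for a user pool token:
    the token issuer without the https:// scheme."""
    return f"cognito-idp.{region}.amazonaws.com/{user_pool_id}"


def _b64url_decode(segment):
    # JWT segments are base64url without padding; restore the padding before decoding.
    segment += "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment)


def decode_claims(jwt):
    """Return the payload claims of a compact JWT (header.payload.signature).

    No signature check here on purpose: this only decides which token to hand to
    the identity pool, which verifies the signature itself."""
    parts = jwt.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT")
    return json.loads(_b64url_decode(parts[1]))


def build_logins(id_token, region, user_pool_id, app_client_id, now=None):
    """Validate id_token against the configured pool and client and return the
    Logins map for GetId / GetCredentialsForIdentity. Raises ValueError otherwise."""
    claims = decode_claims(id_token)
    key = logins_key(region, user_pool_id)
    if claims.get("iss") != "https://" + key:
        raise ValueError(f"issuer {claims.get('iss')!r} is not the configured user pool")
    if claims.get("token_use") != "id":
        # getSession() also returns an access token, but Logins needs the ID token.
        raise ValueError("Logins requires the ID token, not the access token")
    if claims.get("aud") != app_client_id:
        raise ValueError("token was issued to a different app client")
    now = time.time() if now is None else now
    if claims.get("exp", 0) <= now:
        raise ValueError("ID token is expired; refresh the session before exchanging it")
    return {key: id_token}


def describe_problem(id_token, region, user_pool_id, app_client_id, now=None):
    """Convenience wrapper: None when the token is acceptable, else the reason."""
    try:
        build_logins(id_token, region, user_pool_id, app_client_id, now)
    except ValueError as exc:
        return str(exc)
    return None


def make_unsigned_test_token(claims):
    """Build a JWT with alg=none and an empty signature. Constructed test data
    only; Cognito never issues such tokens and nothing should accept them."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(claims)}."


def sample_id_token(now=1_478_770_000):
    """Constructed ID token shaped like the one getSession() returns for the pool above."""
    return make_unsigned_test_token({
        "iss": "https://" + logins_key(REGION, USER_POOL_ID),
        "aud": APP_CLIENT_ID,
        "token_use": "id",
        "sub": "00000000-0000-0000-0000-000000000000",
        "iat": now,
        "exp": now + 3600,
    })


if __name__ == "__main__":
    token = sample_id_token()
    print(build_logins(token, REGION, USER_POOL_ID, APP_CLIENT_ID, now=1_478_770_000))
```

If `describe_problem` reports an issuer mismatch, the string literal used as the dictionary key in the app does not name the pool that actually issued the token, and GetId will be sent without a usable login, which is exactly the "unauthenticated access is not supported" outcome seen in the logs above.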
It seems, from the error you got,
Access to Identity 'us-east-1:xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx' is forbidden
that the credentials you obtained in the first part cannot access the identity you are making the sync call with, so your identity has probably changed.